Something I noticed when my Apple Watch was associated to the wrong SSID (and was placed on a vLAN different to that of its paired iPhone) was the repeated attempts it was making to set up an IPSEC connection to the iPhone.

I saw this in the logs of the firewall that sits between the vLANs:

2019-10-29T16:56:20+11:00 kernel: [5242514.662174] [ALEXT-Zone-Media-340-R] IN=eth0.6 OUT=eth0 MAC=00:50:56:00:00:00:08:f4:ab:00:00:00:08:00 SRC= DST= LEN=120 TOS=0x00 PREC=0x00 TT
 L=63 ID=64399 PROTO=ESP SPI=0xabd8402

Here the Watch is and the iPhone

Apple’s iOS Security Guide does not mention an IPSEC connection specifically but does discuss secure WiFi connections in case Bluetooth is unavailable.